CBI Review Finds Weaknesses in Risk Management Frameworks in Credit Union Industry
On 19 November 2021, the Central Bank of Ireland published the ‘Thematic Review of Risk Management Maturity in Credit Unions’ (the “Review”). Undertaken by the Registry of Credit Unions within the Central Bank of Ireland (“CBI”), the Review describes a series of findings, expectations and recommendations in relation to the risk management processes of the credit union industry in Ireland. The Review aims to promote and enhance risk management processes and culture within credit unions and to ensure that risk management underpins and supports credit union financial and operational resilience.
The Regulatory Framework
A new regulatory framework for credit unions was introduced under the Credit Union and Co-operation with Overseas Regulators Act 2012 which amended the Credit Union Act 1997 (the “1997 Act”) and was commenced in 2013. This created a significant onus on credit unions, in particular the board of directors, to ensure that robust risk management systems and processes were in place to deal appropriately with the risks faced by the credit union and the sector.
Section 76B of the 1997 Act as amended requires credit unions to “develop, implement, document and maintain a risk management system with such governance arrangements and systems and controls to allow it to identify, assess, measure, monitor, report and manage the risks which it is, or might reasonably be, exposed to” with systems and controls in place to monitor and manage risks and a compliance programme in place to allow the credit union to evaluate compliance with its obligations in respect of the risk management system. Section 76B of the 1997 Act also requires the board of a credit union to appoint a person to be a risk management officer to manage the risk management function of a credit union.
In addition, the Credit Union Act 1997 (Regulatory Requirements) Regulations 2016 requires credit unions to “establish and maintain a written risk register, maintained by a risk management officer, that documents the risks that the credit union is, or may be, exposed to and the systems and controls that the credit union has established to manage and mitigate those risks.” The risk register must be reviewed at least annually to review the risks and ensure that adequate systems and controls are in place to manage those risks. Furthermore, section 55 of the 1997 Act as amended requires the board of directors to review the risk management system and the risk management policy at least annually to ensure they are appropriate and the board is also required to “implement a risk management process that ensures that all significant risks are identified and mitigated to a level consistent with the risk tolerance of the credit union.”
Credit Union Risk Management Weaknesses
While the Review found “significant progress” was made in credit union risk management since 2013, several areas for improvement were identified where credit unions do not meet the requirements of risk management expected of them by the CBI. In particular, the CBI expects boards to ensure that steps are taken to embed a strong risk management culture in the credit union, taking account of the nature, scale, and complexity of the credit union.
The CBI has previously reported that the strengthened financial position of credit unions since 2012 has made the sector more resilient to deal with the current challenges. However, in the context of the credit union sector’s continued focus on framework change and engaging in more complex activities, addressing credit union risk management weaknesses is particularly important.
Risk Management Weaknesses
The Review found that there is a lack of comprehensive engagement with risk management at nearly all levels of credit unions and identified weaknesses in board oversight, stewardship and ownership in respect of risk management. There was a lack of evidence of robust discussion at Board meetings on risk-related issues and inadequate communication lines between boards and Risk Management Officers, especially in respect of decision-making surrounding the mitigation of risks, and over-reliance on a small number of board members.
In light of these findings the Review has resulted in a number of recommendations being made by the CBI to improve the risk management function, in the following areas:
- Improving the risk management structure and framework in credit unions: this includes removing the siloed approach in some credit unions and ensuring there is more of a role for the first line of defence (i.e. the front-line staff) in the identification of risks and in engagement with the Risk Management Officer. The Review found that there was a low level of engagement from front-line staff and that half of credit unions in the sample had no formal process for front-line staff to report existing or potential new risks.
- Improving the quality and frequency of reporting on the identified risks and mitigations in place. The Review found a disconnect between the risk management function and the board, and improvements to reports were needed to ensure boards comprehensively understand the extent of the risks facing a credit union and make risk-related decisions accordingly.
- Improving the training for staff as well as the overall risk management culture of the credit union by increasing the engagement between the RMO, staff, management and the board to develop the attitude to risk management in the credit union. The Review determines that each credit union board should be responsible for establishing a training plan and formal risk management reporting and escalation processes for front-line staff, and should hold regular meetings with its risk management function with the aim of embedding risk management considerations into its decision-making.
The Review did observe a variance in the level of maturity and embeddedness of risk management in place across the sampled credit unions. Whilst the Review identified some examples of good risk management practices within credit unions, especially since 2013, it is concluded in the Review that the credit union industry has some way to go to meet the high standards of risk management expected of it. The Review suggests there is a clear need for credit unions to further evolve and embed their risk management frameworks and ensure their effective functioning.
In that regard, comprehensive areas for improvement and examples of good practice were set out in the Review, which credit unions should review in detail, making any required changes to their risk management systems, including updated risk management policies and processes to deal with the issues identified by the Review. This should not be a mere box-ticking compliance exercise; practical steps should be taken to improve the overall risk management culture, which should in turn improve the financial and operational resilience of the credit union.
The Registry conducted the Review in 12 credit unions, comprising a review of documentation relating to risk management, together with a total of 36 separate interviews with the Risk Management Officer, CEO and representatives from the board of each credit union in the sample.
 (S.I. No. 1 of 2016)